Is it possible for a web site that uses either Java or Javascript to accomplish the installation (meaning: not just forced download) of an executable on a client Windows system (Windows 7 or newer) when user clicks on only one link on the website?
So in this scenario, the user clicks on a link (e.g. some click-bait link) that is supposed to display some article or a video, on a website. Can this sole single click lead to both a forced download and actual installation of an executable on the users machine?
I do not need, nor am I looking for, explicit detail on how this is done. I am more curious of whether this is even possible with the current Windows OS. In this case the user would be using a recent version of one of the following browsers: IE, FF, Chrome, or Opera.
You are asking about a drive by downloader?
The answer is yes these in java are called applets. Here is come HTML from a webclient what uses an applet.
<HTML>
<HEAD>
<TITLE>Your Webclient</TITLE>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</HEAD>
<BODY>
<applet name="yourclientname" width="765" height="503" archive="client.jar" code="client.class">
<param name="java_arguments" value="-Xmx1024m">
</applet>
</BODY>
</HTML>
For a hacker to do it all they need to do is change the .jar and .class in the above. And Java will prompt you to ask if you want to run the applet once you click yes it will run java code normally a dropper. Btw most hackers don't install stuff they either sneak into registry or they simply put a copy of their exe or .jar into your startup folder.
You will have a chance to say no as stated above its just an allow or disallow option. The rest of the HTML can be used to load a picture or whatever. Here is what the allow screen looks like,
http://openigloo.org/wp-content/uploads/2011/05/signed-applet.jpg
Related
I have a html file, there are links in it, I wonder if there is a way to use those links to call a java program to generate another html file ?
Something like this :
<Html>
<body>
Some text
<A Href=[somehow point to a java .class file to run]>My Link</A>
More text
</Body>
</Html>
I know how to use Java to generate html, what I'm asking here is how to pass a parameter to this local java class so that it can generate html file with the input ?
So if the Java program is called : MyHtmlGen.java
Then the class will be MyHtmlGen.class
And then if I run it from the command line, it would be like this :
> java MyHtmlGen my_input
But I don't know how to turn that into the html link above ?
You could use WebStart to launch an Java application from a browser interaction.
The section of the linked documentation titled: "Running a Java Web Start Application From a Browser" provides a demo you can try. The link to the Java application is provided as:
Launch Notepad Application
That documentation states that when you click the link:
Java Web Start software loads and runs the application based on instructions in the JNLP file.
That isn't the behavior I get on Safari 7.1 on OS X 10.9 with Oracle Java 8u40 installed. Instead, I just get the jnlp file downloaded and can double click on the downloaded file to run the application. I think on some browsers, Oracle may provide a plugin to the browser which is able to launch the jnlp referenced application automatically without the user having to also double click on a downloaded jnlp file. Perhaps if the Java deployment toolkit were used, rather than a straight a href link, the user experience might be a bit more seamless.
Note: browser manufacturers have been phasing out support for plugin technology like this, so the experience or even the ability to automatically run the referenced application may vary for both you and your users. Additionally, allowing such plugins to run within a browser environment can increase the security attack vulnerability surface for a user's browser. WebStart is also quick a tricky technology to use and support for your users. So for these reasons I normally don't recommend using WebStart as a deployment solution.
That's just impossible. A link <a> will fire a GET request to the server for the URI set in the href attribute, it's not meant to execute a specific piece of code. If you want to execute code when clicking a link, use JavaScript, but be aware that JavaScript cannot start an instance of JVM and run your exact Java application.
On the other hand, maybe you should look into Applet or JavaFX and embed the java application in your page. Or probably you may submit an action to the server, and at server side you may start the JVM and execute your Java code.
I have problems running Java applets locally, i.e. the class files reside in the local file system, not on a server. The following example
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<applet code="Java10Test.class"
width=200
height=200
codebase="http://www.cis.upenn.edu/~matuszek/General/JavaVersionTests/"
>
</applet>
Text ...
</body>
</html>
works well with Firefox 23 and Oracle Java 7u25. But it does not work if I download Java10Test.class to my local machine and put it in the same folder as the .html no matter what codebase I use. I tried codebase="." and codebase="file:///pathToTheFolder" without success. Firefox does not even reserve the 200x200 space for the applet. Java is also not started in the background (the Java console does not open as it does for all other applets), i.e. it is not a Java security issue. There are no warning/error messages.
The local version works in Chrome without problems. The behaviour is reproducable on different machines (Mac/Linux).
What is the correct way to use applets locally in Firefox? I need this for a system without access to the internet.
What is the correct way to use applets locally in Firefox?
Run them from a server at localhost (e.g. install Apache) and they should show the same behavior as on the net.
..it would still be interesting, why the local class file is not used properly.
I'd suggest it is related to security. IE has long prompted an HTML running a script when it is loaded from the local file system. In general, 'a network' is considered a safer environment than your own disks.
Incidentally, I run FF and noted it recently started failing when running the Deployment Toolkit Script used for embedding applets and launching JWS apps. I had not realized it simply (and completely) ignored 'local (unjar'd, unsigned) applet elements' until I tested with yours. The fact it ignores them without warning or prompt is ..disturbing, at least for developers who have to write or maintain applets. :(
The only way to be confident an applet is loaded successfully, is to use JS to query the applet after it is loaded. If a public method of the applet cannot be accessed from JS after a specific time, presume the applet failed to load for whatever reason and proceed from there.
This is a known bug in Firefox 23. It should block the use of locally insecure codebases like .. but accidentally blocks other local paths, too.
The currently known workarounds are:
set security.fileuri.strict_origin_policy=false in about:config
use a local web server instead of local files as suggested in the other answer
<html>
<head>
<title>Game</title>
</head>
<body>
<applet code="game/Game" name="Game" archive="Game.jar" width="800" height="600">
No java support.
</applet>
</body>
I'm currently trying to run the above html code in a web browser in order to display my java applet game. The html file is in the same directory as the jar file. What happens when I open the html page is that it asks me if I want to trust the applet (which I just digitally signed myself), and when I say yes, it just displays a blank screen. Also, my CPU usage increases noticeably, so I imagine something is getting stuck.
I can run my applet in Eclipse with no problems. Furthermore, I realize the applet tag is deprecated, however I'm not looking to make this too complicated, plus I need it to run on computers with very outdated browsers.
So, what could the reasons be that my applet will not display? I receive no errors/exceptions, it just shows a white area where my applet should be. Also, when I put the mouse over that area, the cursor does change to what it would be if it were over an applet.
EDIT: Interestingly enough, I was clicking around on the white area where the applet should be, and managed to make one of my in applet menu texts come up. I'm thinking that maybe my images are just not showing up. Why might this be the case?
This question already has answers here:
Java Error: "Your security settings have blocked a local application from running"
(10 answers)
Closed 9 years ago.
I have a Java applet that displays a simple image. I have the following HTML markup to run the applet:
<!DOCTYPE html>
<html>
<head>
<title>Traffic Light Demo</title>
</head>
<body>
<applet code="TrafficApplet.class" width="300" height="400">
</applet>
</body>
</html>
The applet I am trying to run is in the same directory as this HTML file. It was running just fine until last weekend when I updated my JRE to update 21 (I also updated my JDK to the latest version at the same time.
I'm running a 64 bit Windows 7 system.
The problem I'm having is that when I try to run the HTML file I get an error that says:
Application Blocked by Security Settings
Your security settings have blocked a local application from running.`
It was suggested to me that I try the following;
Open Control Panel, select Programs, select Java, select the Security tab, and move the slider to Medium (it defaults to High). I tried that. It had no effect. Also, when I close the Control Panel, try to re-run the HTML file, it fails, then try go back to the security setting, it has gone back to the High setting.
How do I fix this?
Most of the newer HTML5 documents have the
!DOCTYPE html
heading, which the applet tag is now appreciated in HTML5. I am not sure as to how to load an applet, but when I tried an Applet in HTML5, it didn't support it. Also, the update might have caused the newer Java to conflict with whatever coding is in your applet.
I have a problem when I use the applet tag within Internet Explorer 6.
Here is the code I use:
<APPLET
height=1024
archive=consignation-applet-signed.jar,httpclient-4.0.1.jar,httpcore-4.0.1.jar,commons-logging-1.1.1.jar,log4j-1.2.14.jar
width=1280
code=PilotageImpression.class>
<PARAM NAME="_cx" VALUE="33867">
<PARAM NAME="_cy" VALUE="27093">
</APPLET>
The problem is that it tries to reach two URL's on Microsoft's website. It's a problem when you are in a closed environment.
I read an article here: http://support.microsoft.com/kb/323207/en-us but it says that the problem is only known when using the OBJECT tag (I use Applet tag)
Does anyone know why does this occur with the applet tag?
If your user has the Next Generation Plug-In (Sun's 1.6.0_10+), it would be easy to deploy this applet along with it's natives, using Java Web Start.
JWS could also launch the applet with natives on versions prior to the next generation plug-in, but they would be free-floating, outside the browser.